Diffstat (limited to 'doc/todo')
-rw-r--r--  doc/todo/mailnotification.mdwn | 18
1 file changed, 18 insertions, 0 deletions
diff --git a/doc/todo/mailnotification.mdwn b/doc/todo/mailnotification.mdwn index 5aae98894..858141008 100644 --- a/doc/todo/mailnotification.mdwn +++ b/doc/todo/mailnotification.mdwn @@ -13,6 +13,24 @@ Should support mail notification of new and changed pages. Joey points out that this is actually a security hole, because Perl regexes let you embed (arbitrary?) Perl expressions inside them. Yuck! +(This is not actually true unless you "use re 'eval';", without which +(?{ code }) is disabled for expressions which interpolate variables. +See perldoc re, second paragraph of DESCRIPTION. It's a little iffy +to allow arbitrary regexen, since it's fairly easy to craft a regular +expression that takes unbounded time to run, but this can be avoided +with the use of alarm to add a time limit. Something like + + eval { # catches invalid regexen + no re 'eval'; # to be sure + local $SIG{ALRM} = sub { die }; + alarm(1); + ... stuff involving m/$some_random_variable/ ... + alarm(0); + }; + if ($@) { ... handle the error ... } + +should be safe. --[[WillThompson]]) + It would also be good to be able to subscribe to all pages except discussion pages or the SandBox: `* !*/discussion !sandobx`, maybe --[[Joey]] 3. Of course if you do that, you want to have form processing on the user |
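Review bot: the timeout pattern in the added paragraph leaves the alarm armed if the eval dies for any reason other than the ALRM handler, for instance an invalid regex dying at compile time, because the `alarm(0);` inside the block is then never reached and the pending SIGALRM later hits code that has no handler installed; following the example in perlfunc for alarm, cancel it again after the eval as well (`alarm(0);` immediately before `if ($@) { ... }`). A caveat also belongs next to "this can be avoided with the use of alarm": since Perl 5.8 signals are deferred until the current opcode completes, and a single regex match is one opcode, so an ALRM arriving in the middle of a match on a pathological pattern may not interrupt it until the match finishes (see perlipc, "Deferred Signals (Safe Signals)"); the `local $SIG{ALRM} = sub { die }` guard therefore bounds the run time less reliably than the text suggests. Minor: `no re 'eval';` is the default and so is redundant, though harmless as documentation of intent; and the unrelated typo `!sandobx` in the context line could be fixed in a follow-up.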